module

Apache Druid JNDI Injection RCE

Disclosed: 02/07/2023
Created: 06/24/2023

Description

This module exploits the JNDI injection vulnerability in Apache Druid.
The vulnerability affects Druid's indexer/v1/sampler interface and enables
an attacker to execute arbitrary commands on the targeted server.

The vulnerability is found in Apache Kafka client versions ranging from
2.3.0 to 3.3.2. If an attacker can set the sasl.jaas.config property of
any of the connector's Kafka clients to com.sun.security.auth.module.JndiLoginModule,
the server will establish a connection with the attacker's LDAP server
and deserialize the LDAP response. This gives the attacker the ability
to execute Java deserialization gadget chains on the Kafka Connect server,
potentially leading to unrestricted deserialization of untrusted data, or even
remote code execution (RCE) if there are relevant gadgets in the classpath.

To facilitate exploitation, this module starts an LDAP server
that the target server needs to connect to in order to carry out the attack.
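
A defensive check for the condition described above, as an added example that is not part of the module or of Druid or Kafka: it tests a kafka-clients version against the affected range the page gives and scans parsed JSON request bodies for a `sasl.jaas.config` value naming `JndiLoginModule`. The function names and the layout of the sample bodies are assumptions made for illustration.

```python
import json
import re

# Property name, class name and version range as given in the description above.
JAAS_KEY = "sasl.jaas.config"
BLOCKED_MODULE = "com.sun.security.auth.module.JndiLoginModule"
AFFECTED_MIN, AFFECTED_MAX = (2, 3, 0), (3, 3, 2)

# Constructed sample bodies: hypothetical layout, module options elided.
SAMPLE_FLAGGED = json.dumps({"spec": {"props": {
    JAAS_KEY: BLOCKED_MODULE + " required <options elided>;"}}})
SAMPLE_CLEAN = json.dumps({"spec": {"props": {
    JAAS_KEY: "org.apache.kafka.common.security.plain.PlainLoginModule required;"}}})


def kafka_client_affected(version):
    """True if a kafka-clients version string falls in the affected range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(g or 0) for g in m.groups())
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def find_jndi_login_module(node, path="$"):
    """Walk parsed JSON; return the paths of JAAS settings naming the module."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}[{key!r}]"
            if key == JAAS_KEY and isinstance(value, str) and BLOCKED_MODULE in value:
                hits.append(child)
            hits.extend(find_jndi_login_module(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_jndi_login_module(value, f"{path}[{i}]"))
    return hits


def inspect_body(raw):
    """Parse the body first so JSON escapes are decoded before matching."""
    try:
        return find_jndi_login_module(json.loads(raw))
    except json.JSONDecodeError:
        return []  # not JSON; out of scope for this check


if __name__ == "__main__":
    for name, body in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_body(body))
```

Matching on the parsed document rather than the raw request text means a string written with JSON `\u` escapes is still compared in its decoded form.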

Authors

RedWay Security
Jari Jääskelä

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

    msf > use exploit/multi/http/apache_druid_cve_2023_25194
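    msf exploit(multi/http/apache_druid_cve_2023_25194) > show actions
        ...actions...
    msf exploit(multi/http/apache_druid_cve_2023_25194) > set ACTION < action-name >
    msf exploit(multi/http/apache_druid_cve_2023_25194) > show options
        ...show and set options...
    msf exploit(multi/http/apache_druid_cve_2023_25194) > run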
  